Your PINs, accounts and invoices leaked onto net by City of Joburg

Share on facebook
Share on twitter
Share on linkedin
Share on email

A huge security flaw in the City of Johannesburg’s online services system appears to have led to its being closed down after it was revealed that personal invoices containing names, addresses, PINs and bank details were being hosted on the open web, rather than a secure area accessible by user accounts.

The flaw was uncovered by a MyBroadband forumite after authorities failed to act on his alerts. We haven’t been able to verify it as the system now has a notice saying it’s closed ‘due to technical difficulties’ and the City has yet to make a statement.

According to MyBroadband, the flaw means that anyone who could work out the direct URL could download your bills. Worse, they were being indexed by Google.

Should you be worried? Sadly, yes. The information that can be gleaned from the bills opens the door to identity theft. As the reader in question points out:

I can use these invoices to get myself RICAed or for any other purpose where one needs a utility bill.

It is relatively simple to write a small script to increment the counter, extract information from the PDF, and then store it for later data-mining.

Once you have access to a customer’s statement, you will have their account number and PIN and will then be able to access their account electronically as well as do any sort of social engineering.

I would guess for customers in credit I could attempt to change their banking details and then request a refund.

We’ll keep badgering for updates as soon as possible.

Adam Oxford

Adam Oxford

Adam is the Editorial Director at htxt media. He has been writing about technology for almost two full decades now. In a previous life, he was the editor of PC Format and Digital Camera Shopper in the UK, before going on to work as a freelance journalist for seven years. His work has appeared in or on Stuff, The Guardian, Linux Format, TechRadar,, PC Gamer, Green Futures, The Journalist, The Ecologist and The Review. Adam moved to South Africa in 2012 and loves 3D printers, MakerFairs and tech hubs. He hates seafood. None of his friends remember this when cooking.